fix(observability): verify root-owned SigNoz bundle
This commit is contained in:
@@ -778,9 +778,9 @@ pending_verifiers:
|
||||
independent_export_verifier_sha256: cbab56dd3919866a96550c1dce46ec67783cd6f00473e4491861e17d1430048c
|
||||
isolated_restore_driver_sha256: 38ce70b3f891a3ce8edfaeb880ccf69d0bb6817c3f801a0aefa0f06341901997
|
||||
contract_tests_sha256: 474d9dfcfe170c62425356ea9f06ed0dc1629b39215ee80f395f721c7d43a923
|
||||
controlled_deployer_sha256: ca64829e8cd850d83b016a6207bf463da586a68a4c78571e7a8734c93deb4766
|
||||
deployer_tests_sha256: 2092164f254b7c8b9064f2ffb1859e6dd4213b627992373719b3d9bc8a6ae200
|
||||
test_terminal: 20_passed
|
||||
controlled_deployer_sha256: 2d0f7ae20ff8919dfc0f6caa1c3e346c0d8127d997ffa46f86a6e92df212e6f4
|
||||
deployer_tests_sha256: eb6acd4da593f75dbd26a0abfc6674a60221ef7eac91e2f679f8ac75e9eda43e
|
||||
test_terminal: 21_passed
|
||||
portable_assets:
|
||||
- dashboards
|
||||
- alert_rules
|
||||
|
||||
@@ -166,7 +166,11 @@ emit ai_decision pass "candidate_additive_immutable_inactive_source_deploy"
|
||||
emit risk_policy_decision pass "medium_no_active_pointer_no_secret_no_raw_sqlite"
|
||||
|
||||
remote_check() {
|
||||
bounded_ssh "${SSH_OPTIONS[@]}" "${TARGET_HOST}" bash -s -- \
|
||||
# The immutable root is deliberately 0700/root-owned. Run this bounded
|
||||
# verifier as root so it can distinguish exact from absent without relaxing
|
||||
# directory permissions. REMOTE_CHECK contains only stat/hash/process/API
|
||||
# reads and performs no writes.
|
||||
bounded_ssh "${SSH_OPTIONS[@]}" "${TARGET_HOST}" sudo -n bash -s -- \
|
||||
"${REMOTE_ROOT}" "${BUNDLE_ID}" "${REMOTE_TIMEOUT_SECONDS}" \
|
||||
"${KILL_AFTER_SECONDS}" "${SOURCE_HASHES[@]}" <<'REMOTE_CHECK'
|
||||
set -euo pipefail
|
||||
|
||||
@@ -174,6 +174,13 @@ def test_shared_operation_lock_is_existing_read_only_and_fail_closed() -> None:
|
||||
assert "exec 8>>/tmp/awoooi-signoz-backup-operation.lock" not in source
|
||||
|
||||
|
||||
def test_remote_check_uses_privileged_read_only_visibility() -> None:
|
||||
source = DEPLOYER.read_text(encoding="utf-8")
|
||||
remote_check = source.split("remote_check() {", 1)[1].split("\n}", 1)[0]
|
||||
assert '"${TARGET_HOST}" sudo -n bash -s --' in remote_check
|
||||
assert "REMOTE_CHECK contains only stat/hash/process/API" in remote_check
|
||||
|
||||
|
||||
def test_exact_five_file_supply_chain_and_modes_are_fixed() -> None:
|
||||
source = DEPLOYER.read_text(encoding="utf-8")
|
||||
for path in (
|
||||
|
||||
@@ -865,7 +865,7 @@ def evaluate(root: Path, contract_path: Path) -> dict[str, Any]:
|
||||
== len(METADATA_EXPORT_SOURCE_PATHS)
|
||||
and set(declared_metadata_export_hashes) == set(METADATA_EXPORT_SOURCE_PATHS)
|
||||
and declared_metadata_export_hashes == actual_metadata_export_hashes
|
||||
and metadata_export_source_contract.get("test_terminal") == "20_passed"
|
||||
and metadata_export_source_contract.get("test_terminal") == "21_passed"
|
||||
)
|
||||
offsite_backup = pending_verifiers.get("signoz_backup_offsite_dr", {})
|
||||
failed_artifacts = pending_verifiers.get(
|
||||
|
||||
@@ -877,7 +877,7 @@ def test_post_release_verifier_and_native_backup_close_with_remaining_gaps() ->
|
||||
field: hashlib.sha256((ROOT / relative).read_bytes()).hexdigest()
|
||||
for field, relative in metadata_paths.items()
|
||||
}
|
||||
assert source_contract["test_terminal"] == "20_passed"
|
||||
assert source_contract["test_terminal"] == "21_passed"
|
||||
assert source_contract["raw_sqlite_read"] is False
|
||||
assert source_contract["raw_volume_read"] is False
|
||||
assert source_contract["secret_value_persistence"] is False
|
||||
|
||||
Reference in New Issue
Block a user